OpenWRT IPv6: NAT64 and DNS64 using BIND
Sources:
- http://blog.raorn.name/2012/02/ipv6-only-lan-with-dual-stack-openwrt.html
- http://wiki.openwrt.org/doc/howto/ipv6
tayga should already be installed or compiled into the firmware.
NAT64 interface configuration:
    # /etc/config/network
    config 'interface' 'nat64'
        option 'proto' 'tayga'
        option ipv4_addr 192.0.2.1
        option ipv6_addr 2001:470:1f09:xxxx::7f00:1
        option prefix 64:ff9b::/96
        option dynamic_pool 192.0.2.0/24
        option accept_ra 0
        option send_rs 0

    config interface nat64
        option proto tayga
        option ipv4_addr 192.0.2.1
        option ipv6_addr 2001:db8:1::7f00:1
        option prefix 64:ff9b::/96
        option dynamic_pool 192.0.2.0/24
        option accept_ra 0
        option send_rs 0
where:
- 2001:470:1f09:xxxx::/64 is the IPv6 prefix on the LAN
- 192.0.2.0/24 is the tayga prefix for 4-to-6 mappings
- 64:ff9b::/96 is the prefix for IPv6-mapped IPv4 addresses.
Add nat64 to the lan firewall zone, because we need to explicitly NAT44 packets for 4-to-6 inbound connections:
    # /etc/config/firewall
    config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'lan nat64'
Test (ifup the nat64 interface and load the firewall rules):
    # ping6 -c3 64:ff9b::194.87.0.50
    PING 64:ff9b::194.87.0.50(64:ff9b::c257:32) 56 data bytes
    64 bytes from 64:ff9b::c257:32: icmp_seq=1 ttl=56 time=3.42 ms
    64 bytes from 64:ff9b::c257:32: icmp_seq=2 ttl=56 time=3.35 ms
    64 bytes from 64:ff9b::c257:32: icmp_seq=3 ttl=56 time=4.04 ms

    --- 64:ff9b::194.87.0.50 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2040ms
    rtt min/avg/max/mdev = 3.354/3.610/4.049/0.319 ms
We need a source of AAAA records for hosts that only have A records. This is called DNS64 and is supported by bind 9.8.0 and later.
Modify the default named.conf:
    # /etc/bind/named.conf
    acl rfc1918 { 10/8; 192.168/16; 172.16/12; };

    options {
        directory "/tmp";
        auth-nxdomain no;    # conform to RFC1035
        allow-query { localnets; localhost; };
        listen-on { any; };
        listen-on-v6 { any; };
        dns64 64:ff9b::/96 {
            clients { any; };
            mapped { !rfc1918; any; };
            exclude { 64:ff9b::/96; ::ffff:0000:0000/96; };
            suffix ::;
        };
        edns-udp-size 512;
        max-udp-size 512;
    };

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };
All hosts on the LAN use bind as their nameserver (announced via radvd and processed by dnssd). Test:
    $ host www.ru
    www.ru has address 194.87.0.50
    www.ru has IPv6 address 64:ff9b::c257:32
    www.ru mail is handled by 5 hq.demos.ru.
    $ host 194.87.0.50
    50.0.87.194.in-addr.arpa domain name pointer www.ru.
    $ host 64:ff9b::c257:32
    2.3.0.0.7.5.2.c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa is an alias for 50.0.87.194.in-addr.arpa.
    50.0.87.194.in-addr.arpa domain name pointer www.ru.
What about giving IPv4 hosts access to services on the IPv6-only network?
We need to configure NAT44 to an address from the tayga dynamic pool:
    # /etc/config/firewall

    # rule for tayga to create static mapping
    config 'nat64'
        option 'ipv4_addr' '192.0.2.32'
        option 'ipv6_addr' '2001:470:1f09:xxxx::yyyy:zzzz'

    # rule for OpenWRT firewall to redirect traffic on port 25
    config 'redirect'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'src_dport' '25'
        option 'dest_ip' '192.0.2.32'
        option 'target' 'DNAT'
        option 'dest' 'lan'

    # rule for OpenWRT firewall to permit access to port 25 on the LAN host
    config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'dest' 'lan'
        option 'proto' 'tcp'
        option 'dest_ip' '2001:470:1f09:xxxx::yyyy:zzzz'
        option 'dest_port' '25'
        option 'family' 'ipv6'
The last rule is only needed to provide access to my SMTP service via native IPv6. Since the nat64 interface belongs to the lan firewall zone there's no need to permit traffic from 64:ff9b::/64; it is already done by permitting traffic to 192.0.2.32 (processed by the redirect rule).
And now we can see some dirty spammers in the maillog:
    Feb 17 12:23:31 hell postfix/smtpd[12288]: connect from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]
    Feb 17 12:23:31 hell postfix/smtpd[12288]: warning: non-SMTP command from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]: GET http://www.scanproxy.com:80/p-25.html HTTP/1.0
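The maillog shows the IPv4 client only as its NAT64-translated form (64:ff9b::722a:9dc1). The following added example, not part of the original post, performs the RFC 6052 /96 embedding that tayga and the dns64 stanza above use in both directions, refuses RFC 1918 sources the way the named.conf "mapped { !rfc1918; any; }" clause does, and recovers the real IPv4 client from postfix "connect from" lines so they can be correlated with IPv4 blocklists; the sample log lines and the host name host.example are constructed.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Well-known NAT64 prefix (RFC 6052), as configured for tayga and BIND on this page.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Ranges the named.conf "mapped { !rfc1918; any; }" clause never synthesizes.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv6Address]:
    """Embed an IPv4 address in the low 32 bits of the /96 prefix (the AAAA DNS64 would answer).
    Returns None for RFC 1918 addresses, mirroring the BIND policy above."""
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in RFC1918):
        return None
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Reverse the embedding: recover the original IPv4 client behind a NAT64 address.
    Returns None for addresses outside the prefix (native IPv6 clients)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# postfix smtpd "connect from host[addr]" line; host name must not contain '['.
CONNECT_RE = re.compile(r"connect from (?P<host>[^\s\[]+)\[(?P<addr>[0-9a-fA-F:.]+)\]")

# Constructed sample: the NAT64 client from the maillog plus a native IPv6 client.
SAMPLE_LOG = [
    "Feb 17 12:23:31 hell postfix/smtpd[12288]: connect from 114-42-157-193.dynamic.hinet.net[64:ff9b::722a:9dc1]",
    "Feb 17 12:24:02 hell postfix/smtpd[12290]: connect from host.example[2001:db8::1]",
]


def real_clients(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each 'connect from' line to (host, original IPv4 or None if the peer was native IPv6)."""
    out = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        v4 = extract_ipv4(m.group("addr"))
        out.append((m.group("host"), str(v4) if v4 is not None else None))
    return out
```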